When the Lab Door Stays Open: Exposed Training Apps Exploited for Fortune 500 Cloud Breaches

Training apps like DVWA, Juice Shop, bWAPP, and Hackazon are commonly used to teach OWASP Top 10 vulnerabilities and support demos and proof-of-value exercises. The problem is that these intentionally vulnerable apps often escape lab boundaries and end up exposed on real infrastructure, including cloud environments connected to broader organizational systems. This session presents a research-driven investigation into how common these exposures are at scale, how they were found using OSINT search engines and fingerprinting techniques, and what happens after exploitation. Findings include a large pool of candidates narrowed to verified exposed training apps, many hosted on major cloud providers, and cases where cloud identities enabled access beyond the vulnerable app. It also covers evidence that some exposed environments were already compromised, including cryptomining campaigns and persistence mechanisms.

Video "When the Lab Door Stays Open: Exposed Training Apps Exploited for Fortune 500 Cloud Breaches" from the Pentera channel